API interface signature verification

Table of Contents

1. Why is an API interface signature required?

2. Implementation mechanism of API interface signature verification


1. Why is an API interface signature required?

       API interfaces that are exposed to the outside world face a number of security problems: masquerading (a caller impersonating another), tampering with the request in transit, replay of a captured request, and leakage of the data carried in the request. A well-designed API signature addresses the first three: the server can identify the caller, detect any change to the signed parts of the request, and reject requests that fall outside their validity period. A signature does not provide confidentiality, however; protecting the request contents from disclosure still requires transport encryption (TLS). The following points should be considered when designing an API interface signature:

  • Ensure that the request data has not been altered

       The signature is computed over the request's fields, so when the value of any signed field changes, the signature the server computes no longer matches the one the client sent and the request is rejected as invalid. This only holds for fields that are actually part of the string-to-sign: a parameter left out of it (for example the request body) can be modified in transit without invalidating the signature, so every security-relevant parameter must be covered.

  • Ensure that the source of the request is legitimate

       The signature algorithm is keyed with a credential pair, an appKey and an appSecret. The appKey travels with the request and identifies the caller; the appSecret is never sent and is known only to the caller and the server, so a valid signature can only have been produced by a party holding it. On receipt the server looks up the appSecret that belongs to the presented appKey, recomputes the signature and compares the two. This is also why the appSecret must be stored and handed over (at issuance) with the same care as a password.

  • Bound the validity period of a request

       The request and the string-to-sign normally include a timestamp, so the server can check that the request falls within an acceptance window (typically a few minutes, to allow for clock skew) and reject anything older. This prevents a captured request from being replayed indefinitely. It does not by itself prevent replay within the window; to reject exact duplicates the client additionally sends a per-request nonce, which the server remembers for at least the length of the window and refuses to accept twice.

2. Implementation mechanism of API interface signature verification

  • Signature verification flow

1 The client applies to the server for an appKey and an appSecret, and the server issues the pair. The server keeps the appSecret so that it can later be looked up by appKey.

2 The client integrates the SDK to generate a sign and sends the appKey, the request parameters, the timestamp and the sign to the server. The server looks up the appSecret belonging to the received appKey, builds the same string-to-sign from the received parameters and timestamp according to the SDK's signature rules, recomputes the signature and compares it with the received sign. Only if the two match, and the timestamp is within the acceptance window, does it process the request and return the result.

  • Code
// Imports and constants that the original snippet referenced but did not show.
// The constant values are assumptions chosen to make the class compile and run.
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.text.SimpleDateFormat;
import java.util.Base64;
import java.util.Date;
import java.util.HashMap;
import java.util.Map;
import java.util.SimpleTimeZone;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class ApiSignature {
    private static final String DATE_FORMAT_STRING = "yyyy-MM-dd'T'HH:mm:ss'Z'"; // ISO 8601, UTC
    private static final String TIME_ZONE = "GMT";
    private static final Charset CHARSET = StandardCharsets.UTF_8;
    private static final String ALGORITHM_HMAC_SHA1 = "HmacSHA1";

    // Signing (client side): builds the string-to-sign from the HTTP method, the URL and
    // the current UTC timestamp, and returns the headers to attach to the request.
    public static Map<String, String> generateSign(String appKey, String appSecret, String url, String method)
            throws NoSuchAlgorithmException, InvalidKeyException {
        Map<String, String> headers = new HashMap<String, String>();
        SimpleDateFormat df = new SimpleDateFormat(DATE_FORMAT_STRING);
        df.setTimeZone(new SimpleTimeZone(0, TIME_ZONE));
        String timestamp = df.format(new Date());
        StringBuilder stringToSign = new StringBuilder();
        stringToSign.append(method.toUpperCase()).append(url).append(timestamp);
        String signature = sign(appSecret, stringToSign.toString());
        headers.put("signature", signature);
        headers.put("appKey", appKey);
        headers.put("timestamp", timestamp);
        return headers;
    }

    // Signature verification (server side): rebuilds the same string-to-sign from the
    // received method, URL and timestamp and returns the expected signature. The caller
    // compares it with the received "signature" header; use MessageDigest.isEqual rather
    // than String.equals so the comparison does not leak through timing.
    public static String validateSign(String appSecret, String url, String method, String timestamp)
            throws NoSuchAlgorithmException, InvalidKeyException {
        StringBuilder stringToSign = new StringBuilder();
        stringToSign.append(method.toUpperCase()).append(url).append(timestamp);
        return sign(appSecret, stringToSign.toString());
    }

    // Shared by signing and verification: HMAC-SHA1 over the string-to-sign, Base64-encoded.
    private static String sign(String appSecret, String stringToSign)
            throws InvalidKeyException, NoSuchAlgorithmException {
        SecretKeySpec signingKey = new SecretKeySpec(appSecret.getBytes(CHARSET), ALGORITHM_HMAC_SHA1);
        Mac mac = Mac.getInstance(ALGORITHM_HMAC_SHA1);
        mac.init(signingKey);
        byte[] data = mac.doFinal(stringToSign.getBytes(CHARSET));
        return Base64.getEncoder().encodeToString(data);
    }
}
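The sample above signs only the method, URL and timestamp, and leaves both the comparison and the timestamp check to the caller. The following Python program is an added example, not part of the original post or of the Aliyun SDK it references; it walks through the two-step flow of section 2 and the three design points of section 1 end to end. The client builds a string-to-sign that also covers the sorted query parameters and a hash of the body, plus a per-request nonce; the server resolves the appKey to its appSecret, checks the timestamp window, refuses a nonce it has already seen, recomputes the signature over the request as it was received and compares in constant time. The credential values, the 300-second acceptance window, HMAC-SHA256 with hex encoding (in place of the sample's HMAC-SHA1 with Base64), the header names and the request data are all assumptions made for the example.

```python
import hashlib
import hmac
import time
from urllib.parse import urlencode

# Constructed credential store standing in for the server's database:
# appKey -> appSecret. Both values are made up for this example.
APP_SECRETS = {"demo-app-key": b"demo-app-secret-0123456789"}

MAX_SKEW_SECONDS = 300  # accept timestamps within +/- 5 minutes of server time


def canonical_string(method, path, query, body, timestamp, nonce):
    """String both sides sign: method, path, sorted query, body hash, timestamp, nonce."""
    # Sorted query and a body hash mean any change to them changes the signature
    # (design point 1); the nonce lets the server reject an exact replay inside
    # the timestamp window (design point 3).
    sorted_query = urlencode(sorted(query.items()))
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, sorted_query, body_hash, str(timestamp), nonce])


def sign(app_secret, string_to_sign):
    """HMAC-SHA256 over the string-to-sign, hex-encoded (assumed; the page's sample uses HMAC-SHA1)."""
    return hmac.new(app_secret, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()


def client_sign(app_key, app_secret, method, path, query, body, timestamp, nonce):
    """Client side (step 2 of the flow): the headers to attach to the request."""
    string_to_sign = canonical_string(method, path, query, body, timestamp, nonce)
    return {"appKey": app_key, "timestamp": str(timestamp), "nonce": nonce,
            "signature": sign(app_secret, string_to_sign)}


class Verifier:
    """Server side. seen_nonces stands in for a shared cache with TTL >= MAX_SKEW_SECONDS."""

    def __init__(self, secrets, now=time.time):
        self.secrets = secrets
        self.now = now
        self.seen_nonces = set()

    def verify(self, method, path, query, body, headers):
        # Design point 2: identify the caller by appKey and look up its appSecret.
        app_key = headers.get("appKey")
        secret = self.secrets.get(app_key)
        if secret is None:
            return False, "unknown appKey"
        # Design point 3: the timestamp must be inside the acceptance window.
        try:
            timestamp = int(headers["timestamp"])
        except (KeyError, ValueError):
            return False, "missing or malformed timestamp"
        if abs(self.now() - timestamp) > MAX_SKEW_SECONDS:
            return False, "timestamp outside window"
        nonce = headers.get("nonce", "")
        if not nonce or (app_key, nonce) in self.seen_nonces:
            return False, "missing or replayed nonce"
        # Design point 1: recompute over the request as received and compare in
        # constant time, so a tampered parameter or a forged signature is rejected.
        expected = sign(secret, canonical_string(method, path, query, body, timestamp, nonce))
        if not hmac.compare_digest(expected, headers.get("signature", "")):
            return False, "signature mismatch"
        self.seen_nonces.add((app_key, nonce))  # consume the nonce only after success
        return True, "ok"


def demo():
    """Run the flow with a fixed clock so the outcomes are deterministic."""
    now = 1_700_000_000
    verifier = Verifier(APP_SECRETS, now=lambda: now)
    key, secret = "demo-app-key", APP_SECRETS["demo-app-key"]
    method, path, query, body = "POST", "/v1/orders", {"b": "2", "a": "1"}, b'{"amount": 100}'
    results = {}
    headers = client_sign(key, secret, method, path, query, body, now, "n-0001")
    results["valid"] = verifier.verify(method, path, query, body, headers)
    # The same headers resent: the nonce has already been consumed.
    results["replay"] = verifier.verify(method, path, query, body, headers)
    # Body altered in transit; the attacker cannot recompute the signature.
    headers = client_sign(key, secret, method, path, query, body, now, "n-0002")
    results["tampered_body"] = verifier.verify(method, path, query, b'{"amount": 1}', headers)
    # Correctly signed, but ten minutes old.
    headers = client_sign(key, secret, method, path, query, body, now - 600, "n-0003")
    results["stale"] = verifier.verify(method, path, query, body, headers)
    # Query parameters arrive in a different order; sorting makes that irrelevant.
    headers = client_sign(key, secret, method, path, query, body, now, "n-0004")
    results["reordered_query"] = verifier.verify(method, path, {"a": "1", "b": "2"}, body, headers)
    # An appKey the server has never issued.
    headers = client_sign("other-key", secret, method, path, query, body, now, "n-0005")
    results["unknown_key"] = verifier.verify(method, path, query, body, headers)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:16s} {outcome}")
```

Running the program prints one line per scenario: the valid request is accepted, the identical request resent is rejected because its nonce has been consumed, the request whose body was changed fails the signature check, the correctly signed but ten-minute-old request is rejected as stale, reordering the query parameters does not change the outcome, and an unknown appKey is refused before any cryptography runs. In a real deployment the nonce set lives in a shared cache whose expiry is no shorter than MAX_SKEW_SECONDS and the secret lookup hits the credential store; the order of checks (cheap identity and freshness checks first, HMAC last, nonce recorded only after success) is what keeps an attacker from consuming nonces or burning CPU with unsigned junk.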

Reference document: https://help.aliyun.com/document_detail/101343.html?spm=a2c4g.11186623.6.574.6fa75ffal5uEms

Source: blog.csdn.net/jack1liu/article/details/93379328